Configure authentication for models deployed as web services

Azure Machine Learning allows you to deploy your trained machine learning models as web services. This article explains how to configure authentication for those deployments.

The model deployments created by Azure Machine Learning can be configured to use one of two authentication methods:

  • Key-based: a static key is used to authenticate to the web service.

  • Token-based: a temporary token must be obtained from the Azure Machine Learning workspace (using Azure Active Directory) and used to authenticate to the web service. This token expires after a period of time and must be refreshed to continue working with the web service.

    Note

    Token-based authentication is only available when deploying to Azure Kubernetes Service.

Key-based authentication

Web services deployed on Azure Kubernetes Service (AKS) have key-based authentication enabled by default.

Services deployed on Azure Container Instances (ACI) have key-based authentication disabled by default, but you can enable it by setting auth_enabled=True when creating the ACI web service. The following code is an example of creating an ACI deployment configuration with key-based authentication enabled.

from azureml.core.webservice import AciWebservice

# ACI deployments have key-based auth off by default; auth_enabled=True turns it on
aci_config = AciWebservice.deploy_configuration(cpu_cores=1,
                                                memory_gb=1,
                                                auth_enabled=True)

You can then use the custom ACI configuration in the deployment through the Model class.

from azureml.core.model import Model, InferenceConfig

# `ws` (the Workspace), `model` (a registered Model) and `myenv` (an Environment)
# are assumed to have been created in earlier steps of your deployment workflow.
inference_config = InferenceConfig(entry_script="score.py",
                                   environment=myenv)
aci_service = Model.deploy(workspace=ws,
                           name="aci_service_sample",
                           models=[model],
                           inference_config=inference_config,
                           deployment_config=aci_config)
aci_service.wait_for_deployment(True)

To fetch the authentication keys, use aci_service.get_keys(). To regenerate a key, use the regen_key() function and pass either Primary or Secondary.

aci_service.regen_key("Primary")
# or
aci_service.regen_key("Secondary")

Token-based authentication

When you enable token authentication for a web service, users must present an Azure Machine Learning JSON Web Token to the web service to access it. The token expires after a specified time frame and needs to be refreshed to continue making calls.

  • Token authentication is disabled by default when you deploy to Azure Kubernetes Service.
  • Token authentication isn't supported when you deploy to Azure Container Instances.
  • Token authentication can't be used at the same time as key-based authentication.

To control token authentication, use the token_auth_enabled parameter when you create or update a deployment:

from azureml.core.webservice import AksWebservice
from azureml.core.model import Model, InferenceConfig

# Create the config: enable token auth and disable key auth on the web service
# (the two methods are mutually exclusive, so auth_enabled must be False here)
aks_config = AksWebservice.deploy_configuration(token_auth_enabled=True, auth_enabled=False)

aks_service_name = 'aks-service-1'

# Deploy the model. `ws`, `model`, `inference_config` and `aks_target`
# (the attached AKS compute) are assumed to exist from earlier steps.
aks_service = Model.deploy(workspace=ws,
                           name=aks_service_name,
                           models=[model],
                           inference_config=inference_config,
                           deployment_config=aks_config,
                           deployment_target=aks_target)

aks_service.wait_for_deployment(show_output=True)

If token authentication is enabled, you can use the get_token method to retrieve a JSON Web Token (JWT) together with that token's expiration time:

Tip

If you use a service principal to get the token and want it to have the minimum access required to retrieve a token, assign it the Reader role for the workspace.

# get_token() returns the JWT and the time by which it must be refreshed
token, refresh_by = aks_service.get_token()
print(token)

Important

You'll need to request a new token after the token's refresh_by time. If you need to refresh tokens outside of the Python SDK, one option is to use the REST API with service-principal authentication to periodically make the service.get_token() call, as discussed previously.
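The following is an added example, not code from the Azure Machine Learning docs or SDK, showing how a caller can wrap the two authentication methods described above: a static key from get_keys() that never changes, and a JWT from get_token() that is cached and re-fetched shortly before its refresh_by time rather than on every call. It assumes a get_token() callable returning (token, refresh_by) with refresh_by as a naive UTC datetime, and that the scoring endpoint reads the credential from an Authorization: Bearer header; the FakeTokenIssuer, the clock and the demo_refresh walk-through are constructed for offline use.

```python
# Added example (not from the Azure Machine Learning docs or SDK): credential
# helpers that build the Authorization header for a deployed web service and,
# for token auth, refresh the JWT before `refresh_by` instead of on every call.
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple


def _utcnow() -> datetime:
    """Naive UTC 'now', matching the datetime get_token() is assumed to return."""
    return datetime.now(timezone.utc).replace(tzinfo=None)


class KeyCredential:
    """Key-based auth: a static key from service.get_keys(), never refreshed."""

    def __init__(self, key: str):
        self._key = key

    def authorization(self) -> str:
        return f"Bearer {self._key}"


class TokenCredential:
    """Token-based auth: caches the JWT and re-fetches it near refresh_by."""

    def __init__(self, fetch: Callable[[], Tuple[str, datetime]],
                 clock: Callable[[], datetime] = _utcnow,
                 margin: timedelta = timedelta(minutes=1)):
        self._fetch = fetch          # e.g. aks_service.get_token (assumed bound method)
        self._clock = clock          # injectable so refresh logic can be tested
        self._margin = margin        # refresh a little before the deadline
        self._token: Optional[str] = None
        self._refresh_by: Optional[datetime] = None
        self.fetch_count = 0         # how many times the workspace was asked for a token

    def _stale(self) -> bool:
        if self._token is None or self._refresh_by is None:
            return True
        return self._clock() >= self._refresh_by - self._margin

    def authorization(self) -> str:
        if self._stale():
            self._token, self._refresh_by = self._fetch()
            self.fetch_count += 1
        return f"Bearer {self._token}"


def scoring_headers(credential) -> dict:
    """Headers for a JSON POST to the service's scoring URI."""
    return {"Content-Type": "application/json",
            "Authorization": credential.authorization()}


# --- Constructed stand-in for aks_service.get_token(), for offline use ---
class FakeTokenIssuer:
    """Issues tokens 'jwt-1', 'jwt-2', ... each valid for one hour."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self.issued = 0

    def get_token(self) -> Tuple[str, datetime]:
        self.issued += 1
        return f"jwt-{self.issued}", self._clock() + timedelta(hours=1)


def demo_refresh() -> Tuple[str, str, str, int]:
    """Advance a fake clock past refresh_by and observe when a new token is fetched."""
    now = [datetime(2024, 1, 1, 12, 0, 0)]        # constructed start time
    clock = lambda: now[0]
    issuer = FakeTokenIssuer(clock)
    cred = TokenCredential(issuer.get_token, clock=clock)
    first = scoring_headers(cred)["Authorization"]   # 12:00 -> fetches jwt-1
    now[0] += timedelta(minutes=30)
    second = scoring_headers(cred)["Authorization"]  # 12:30 -> cached jwt-1
    now[0] += timedelta(minutes=30)
    third = scoring_headers(cred)["Authorization"]   # 13:00 -> within margin, fetches jwt-2
    return first, second, third, cred.fetch_count


if __name__ == "__main__":
    print(demo_refresh())
```

Pass TokenCredential(aks_service.get_token) (or KeyCredential(aks_service.get_keys()[0])) to scoring_headers() when building each request; the one-minute margin means the cached token is replaced before the workspace-issued refresh_by passes, so a request is never sent with a token the service is about to reject.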

We strongly recommend that you create your Azure Machine Learning workspace in the same region as your Azure Kubernetes Service cluster.

To authenticate with a token, the web service makes a call to the region in which your Azure Machine Learning workspace is created. If your workspace region is unavailable, you won't be able to fetch a token for your web service, even if your cluster is in a different region from your workspace. The result is that Azure AD authentication is unavailable until your workspace region is available again.

Also, the greater the distance between your cluster's region and your workspace region, the longer it takes to fetch a token.

Next steps

For more information on authenticating to a deployed model, see Create a client for a model deployed as a web service.